Skip to content

Fix security origin for TokenService#findActiveTokensFor...#47418

Merged
albertzaharovits merged 10 commits intoelastic:masterfrom
albertzaharovits:invalidate_for_user_and_realm
Oct 21, 2019
Merged

Fix security origin for TokenService#findActiveTokensFor...#47418
albertzaharovits merged 10 commits intoelastic:masterfrom
albertzaharovits:invalidate_for_user_and_realm

Conversation

@albertzaharovits
Copy link
Copy Markdown
Contributor

@albertzaharovits albertzaharovits commented Oct 1, 2019

All internal searches (triggered by APIs) across the .security index must be performed while "under the security origin". Otherwise the search is performed in the context of the caller which most likely does not have privileges to search .security (hopefully).
This commit fixes this in the case of two methods in the TokenService and corrects an overly done such context switch in the ApiKeyService.

In addition, this makes all tests from the client/rest-high-level module execute as an all mighty administrator, but not a literal superuser.

Closes #47151

@albertzaharovits albertzaharovits self-assigned this Oct 1, 2019
@elasticmachine
Copy link
Copy Markdown
Collaborator

elasticmachine commented Oct 1, 2019

Pinging @elastic/es-security (:Security/Authorization)

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 2, 2019

@elasticmachine run elasticsearch-ci/bwc

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 2, 2019

@elasticmachine run elasticsearch-ci/default-distro

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 2, 2019

The CI failures had :distribution:bwc:staged:buildBwcLinuxTar FAILED and :distribution:bwc:staged:buildBwcOssLinuxTar FAILED without further details.

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 2, 2019

@elasticmachine update branch

@tvernum
Copy link
Copy Markdown
Contributor

tvernum commented Oct 4, 2019

Can we add an x-pack test (e.g. a rest yml test) for calling this API without superuser privileges?
I don't like relying on the HLRC to test x-pack API behaviour.

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 18, 2019

@tvernum @bizybot I have added the suggested tests, may you please take another look?

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 18, 2019

@elasticmachine test this please

1 similar comment
@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 20, 2019

@elasticmachine test this please

@bizybot
Copy link
Copy Markdown
Contributor

bizybot commented Oct 21, 2019

Hi @albertzaharovits, Thank you for addressing the review comment.
I think we can also add a rest yml test for token service, in the token service rest yml test (10_basic) the user has superuser role we could check with a limited role to test the bug scenario. Thank you.

tvernum
tvernum approved these changes Oct 21, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 21, 2019

Cannot create container for service openldap: error creating overlay mount to /var/lib/docker/overlay2/d0a6805f71915982e997588339be1b2443094ef75d584c8c6d3c5b0f1b7e514a/merged: device or resource busy

 @elasticmachine run elasticsearch-ci/2

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 21, 2019

@bizybot I have pushed the change as you recommended.

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 21, 2019

@elasticmachine run elasticsearch-ci/bwc

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 21, 2019

@elasticmachine run elasticsearch-ci/2

@albertzaharovits
Copy link
Copy Markdown
Contributor Author

albertzaharovits commented Oct 21, 2019

Previous failure (https://gradle-enterprise.elastic.co/s/aulxbxfqrnjxc) tracked under #48258 .

bizybot
bizybot approved these changes Oct 21, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@bizybot bizybot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thank you.

@albertzaharovits albertzaharovits merged commit 9964d89 into elastic:master Oct 21, 2019
@albertzaharovits albertzaharovits deleted the invalidate_for_user_and_realm branch October 21, 2019 09:18
@albertzaharovits albertzaharovits mentioned this pull request Oct 21, 2019
Merged
albertzaharovits added a commit that referenced this pull request Oct 21, 2019
@albertzaharovits
Fix security origin for TokenService#findActiveTokensFor... (#47418) (#…
69fc715 
…48280)

All internal searches (triggered by APIs) across the .security index
must be performed while "under the security origin". Otherwise,
the search is performed in the context of the caller which most
likely does not have privileges to search .security (hopefully).
This commit fixes this in the case of two methods in the
TokenService and corrects an overly done such context switch
in the ApiKeyService.

In addition, this makes all tests from the client/rest-high-level
module execute as an all mighty administrator,
but not a literal superuser.

Closes #47151
karmi
karmi reviewed Mar 13, 2020
View reviewed changes
x-pack/plugin/src/test/resources/rest-api-spec/test/api_key/11_invalidation.yml
"username": "api_key_user_1"
}
- length: { "invalidated_api_keys" : 1 }
- match: { "invalidated_api_keys.0" : "${user1_key_id}" }
Copy link
Copy Markdown
Contributor

@karmi karmi Mar 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "${user1_key_id}" looks incorrect — all the other "stash" matchers have only $user1_key_id. This breaks for me on the Go client, I'm wondering what the Java runner is doing, so this syntax passes?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tvernum tvernum tvernum approved these changes

+2 more reviewers

@karmi karmi karmi left review comments

@bizybot bizybot bizybot approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@albertzaharovits albertzaharovits

Labels

>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v7.5.0 v8.0.0-alpha1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Users with only manage_token privilege cannot invalidate tokens by username or realmname

6 participants

@albertzaharovits @elasticmachine @tvernum @bizybot @karmi @jakelandis